October 2017 Review: The Ransomware Risk

“If you create anti-malware products, the days of looking something up in a virus definition file are long gone,” warned our speaker Chris Furey. Chris is a founder, managing partner and chief technical officer of Danbury-based Virtual Density. Virtual Density is in the business of taking physical assets such as PCs and servers, and converting them to virtual, cloud-based assets for dependable IT that doesn’t have to sit on a lap, or a server so to be accessed anywhere.

I lost precious media files back in my Windows XP days visiting malicious websites. I heard, “Back up, back up, AND back up,” every other week on a computer radio show – without explaining HOW: with an external drive and its software. Or today storing files in the cloud.

Companies used to be more rigid about which files each employee needed access to, but that’s being lost to sharing servers. The cost of convenience is security. Chris told of ransomware striking a business client three times, in the course of opening emailed resumes. They recovered with their backup on the first strike. The second time, backup [done using an external hard drive and its software, or cloud services] had been mistakenly left offline for an extended period. But by examining the strain of ransomware [I suspect from its signature ransom note], in this fortunate instance there was a public key found online, perhaps reverse engineered, to treat, decrypt and restore affected files. Alas, when caught off base for ransomware strike number three the company bit the bullet opting to pay the ransom, demanded in bitcoin – a cryptocurrency by which criminal perpetrators elude capture and prosecution. Chris told of the tangled stages of transacting bitcoin that spanned days. Buying bitcoin by credit card was negated by about a $75 cap, whereas ransoms usually run $500 and up.

When your screen displays a ransom note “you are a victim of crimeware . . . where the money is today.” Crimeware is any program, application or agent that delivers a payload into a computer system that elicits illegal activity.

Phishing and Spear Phishing

Ransonware enters a user’s system via clicking on an email link or opening an email attachment, or maybe by clicking on a malicious ad, or visiting an infecting website. In 70% of incidences ransomware gets through the firewall and email scanner, lurking – waiting to get in by luring a person’s curious nature to click on things – what phishing is designed to exploit. Phishing is the route by which ransomware is distributed. The typical payload contains a document. When you open up that document it uses a dropper program that basically executes in the background, purposefully not using your system resources so as not to give itself away, and it may sit dormant awhile. Once it launches it scans the local hard drive and looks for any network. When it begins encrypting files to lock them up it puts a graffiti tag-like extension at the end of that file to indicate it’s been encrypted. Before clicking on a link in an open email one should double-check its authenticity by hovering the mouse over the link to open a box in the lower left corner that reveals the actual hyperlink.

Mass phishing attack emails tend to be sloppily written. Spear phishing targets an individual or company, by perhaps spoofing – masquerading as – trusted email from Amazon, Netflix, UPS, Facebook, YouTube, anyone. As with hyperlink checking, one may hover the mouse over the addresser to reveal a suspicious email’s true sender, or right-click to check it in the email’s header. The FBI claims 2016 losses from spear phishing attacks to be $3.1 billion, but companies often won’t disclose they were victimized for publicity reasons. HIPAA doesn’t require disclosure of confidential medical patient data theft.

Generic salutations, poor grammar, misspelling, urgency, threats, or any request to verify an account or provide personal information are tip-offs of phishing emails. Beware of an attachment with a non-standard file extension, such as ending in m (for macro), or .zip files which easily conceal malware. A phishing target could be fooled by info available from prior data breaches, or by social engineering calls to colleagues to disclose confidential information that may be used to fool you. Inspect suspicious email addresses for lookalike registered domain names. Chris recommends any business register both the .com and .net website domain. In Chris’ mind, employees’ liability to phishing’s bait should be ferreted out with clandestine emails containing inert payloads, followed by a, “Here’s where you went wrong,” conversation.

The vast majority of attacks are by organized crime. Russia, Ukraine, and Vietnam are places where universities supply hirees for crimeware. Because they are versatile, ransomware phishing campaigns are thought to have a 30% return, which is 6x more effective than legitimate email campaigns.

The Bitter Pill of Paying a Bitcoin Ransom

You can’t know the trustworthiness of the perpetrators. There’s nothing stopping the malicious thief from just running off with the paid ransom, without decrypting the encrypted files. In Chris’ experience assisting ransonware victims, most ransom holders do restore files after payment, and will extend deadlines.

To pay by bitcoin, an account must be set up, which is done by first buying or obtaining a bitcoin wallet [as confusing as paying by the digital currency]. Many sources distribute bitcoin wallets, and many pretend to. Chris and an audience member used Coinbase to obtain the bitcoin wallet. Coinbase required two-factor authentication, for which the audience member used Authy with his phone and home computer. One must next arrange a transfer of bitcoin to the bitcoin wallet. One converts dollars to whatever the current exchange rate for bitcoins is, plus a service fee, and puts that into the bitcoin wallet.

In a 3 am Google search Chris found a “banker” who’d transfer the funds. Chris agreed to meet “his new banker” at a Ridgefield coffee shop; he charged a percentage amounting to about $80, plus overcharging a bit much, Chris said, $40 over the day’s bitcoin exchange rate.

On to transferring the funds. Don’t use the infected computer to pay the ransom – chances are it’s also been infected with a key-logger or something else, if you haven’t been thorough to clean the computer out with something like Malwarebytes or HitmanPro. Chris likes to make four passes with different products before declaring the computer clean. [Note: UK-based security giant Sophos acquired SurfRight, the Dutch developer of HitmanPro, in December 2015.]

The ransomware is designed for victims to be able to traverse to the dark web where illicit stuff is traded in anonymity, where regular browsers don’t go, and the malware controls the transaction. Cops won’t help you. Chris has conversed with the FBI, but they lack the skills and resources. In Bridgeport he was told they half-understand it. They don’t even do incident tracking.

When you click to pay the ransom it sets up a VPN connection using the Tor anonymizing browser to find places on the dark web and for confidential communication. It sends a message if payment has been made, and sends the key to decrypt your files. There’s a little file that you download that will let you decrypt one or two files for free and they do that as some sort of good faith that you will get your files back. They do that by giving you a code that’s not going to decrypt everything. They give you a key that will pretty much undo everything. Chris has seen some files that did not get decrypted.

The recent widespead WannaCry attack was disarmed before going out all over the world, but in the disarming process the keys to those that hadn’t yet paid the ransom to decrypt their files was lost forever.

If dragging folders and files over from backup, search for strange file extensions and delete those files. The tools that you use to catch the malware itself, Malwarebytes or apps, won’t restore encrypted files. Chris answered that the major difference between the free and pay versions of Malwarebytes is the included scheduling and more frequent updates.

Advances in Ransomware Control

Of the multiple defenses he uses Chris raved of a small Dutch company that detected ransomware in real time. Their product did so by examining the CPU, RAM, and disk drive to create a baseline of normal usage, from which it would notice odd disk drive writing behavior, network usage, and CPU usage characteristic of ransomware encryption. The product caches disk writes and queues those files up, and the moment it catches files becoming encrypted, usually within 5-6 files, it stops the disk writing and restores files to their pre-encryption versions. They were acquired by Sophos, a UK-based security company that Chris networked with at a spring security conference. [Note: Days after the general meeting Sophos held a Netherlands Day conference.] Chris said Sophos took it off the market until they incorporate it into a larger product, but Chris said a vendor he wouldn’t divulge has license to sell it through year’s end. Chris wanted to maintain his company’s secret advantages. Sophos also acquired Virginia-based machine learning malware detection and prevention company Invincea in February 2017 [Note: Invincea had acquired sandbox isolation pioneer Sandboxie in 2013]. The performance penalty in running these real-time protections should be worthwhile. Chris endorsed a Sophos free download. Which? Their free antivirus is available from https://home.sophos.com . I’ve also seen a free HitmanPro scan offer, and other free trials. [Sophos has a YouTube channel.]

For Mac drives someone at Chris’ company uses a data recovery tool which can be used remotely.

Encrypting your files would safeguard them from ransomware. Though they fall vulnerable while decrypted during use, and there’s a performance price for encrypting. Chris’ cloud backup encrypts files prior to sending them to the cloud, which is then sent to the cloud by an encrypted SSL connection, or an encrypted connection in another port.

Days after the October general meeting Microsoft announced its Windows 10 fall update addresses ransomware attacks with a new Controlled Folder Access option in Windows Defender, protecting libraries and other folders a user may include.

Advances in Spreading Ransomware

The dark web’s fastest growing toolkits are phishing kits. If you’ve run a wizard to install anything on your home computer, well, there are wizards for phishing construction kits for sale, where one could check off desired attributes. Website cloning software can deploy graphics to look like a legit site. Or a kit can create spam and send them out to victims in bulk. Thanks to NSA vulnerability, tools they developed are available on the dark web.

Chris answered, for years there were PC sandboxes that were like Teflon for sessions, nothing would stick. But ransomware now can detect sandboxes, lay dormant, and weasel in.

Chris said he’s not seeing variable fuses on the ransonware bomb, yet, by which the backup’s infection would not be apparent when you went to back up your attacked computer. Chris thinks the next step, ransomware that waits 30 days, is certain, because this organizations’ backups will likely be infected, and ransom payment is guaranteed. Most organizations can’t go back 30 days for a clean back up. Best unplug your backup when you backing up is done to reduce infection opportunities.

Chris answered he hasn’t seen phone-ruining ransomware, but that doesn’t mean it couldn’t happen.

Chris answered automatic back up is best. The key with backups is putting in enough work in progress that rolling back 6 hours won’t hurt you. Ransomware has gotten sophisticated enough to recognize file extensions of popular back up applications. Problem is, when your backup is hooked in and sharing in the network it will get infected, too.

An acquaintance victimized by ransomware advised:
“Be willing to let your things go. Take the risk, otherwise you are Encouraging, Aiding and Abetting Global Terrorist Tech Criminals. Back it up. Baby.”

DACS News

Your Board of Directors would like to announce some exciting changes to DACS. We have found an opportunity that will allow us to continue providing monthly meetings with speakers on technical topics … [Read More...]

By Mike Kaltschnee, Co-Director, Danbury Hackerspace.
We’re excited to help DACS continue, but in a different form. When I was 19 I was a regular at Computer Ease, a local computer store, and one … [Read More...]

Have you ever wondered who the other members of DACS are, what their interests are, and whether they have experience and knowledge that could benefit you? Would you like to be able to identify and … [Read More...]